Profiling a network, before you attack

My heart grows sad everyday when I see yet another news blurb about how some new skiddie crew just PWNED some network and wanted their 15 minutes of e-fame. Many of these attacks are executed sloppily which is why, before long, most of these crews end up in front of a jury. Getting their just rewards, if you will.

Last time, I spoke about the need to keep things secret in this industry. Some people think that is as simple as “I wanna post this secret, so I’ll do it from an alter-ego” there is still a major problem with that; OTHER PEOPLE KNOW YOU KNOW THE SECRET, and therefore your leak is still traceable back to you. even if nobody knew about your alter-ego, simply by leaking data you get cross-contamination.

Wow.. off topic already. Back to the point at hand. When you start on an attack (in your lab, or by legal means) it is throughly unwise to simply just start attacking with every known vector in your tool-belt hoping to compromise a system from the very start. Being a ninja, is all about stealth, and attacking the weakest, MOST damaging weakness, One strike to take down a titan.

Your first goal, should be to gather information, or “listen” for those who can’t seem to understand what i’m talking about. If you make noise on a network, you run the risk of alerting someone to your presence and having them start patching holes, before you ever even have a chance to use it.

It makes me sick, when I’m setting up attacks, and some Skiddie connects to my fake AP, and all my filters and logs are flooded with garbage. TURN OFF YOUR APPLICATIONS, today almost ALL your software makes calls to the Internet. When you’re attacking, or even listening. do you really think your Dropbox sync is helping? no, its sending and receiving more packets and filling up your logs with data you just have to filter out later. Twitter? BE SILENT FOOL! some of us are watching you.

When I’m gathering intel, I don’t even have music playing, you need your senses to be aware of your surroundings. you’d be surprised what you hear. In a coffee shop, where I was setting up an attack with a fake “Free Public Wifi” I overheard some customers talking to each other and it went something like this:
Customer1: “What network are you using?
Customer2: “This ‘Free Public Wifi’, its an open network, and its working pretty quick”

Any idea what we just learned? that there are 2 people using my Fake AP, and any number of other customers that overheard them, will likely log on soon too. If I had headphones on, I would not have heard that and yes, I might have noticed more traffic, but I can now listen for more information. For instance, since these two customers are friends and talking to each other, listen for Names, or relationship connections that you might be able to exploit. Don’t just dive into attacking, because its not going to get you all the information you will need down the road.

Something to try, would be to MITM one (or more) of the connections, and spy on their streams. Again, here I see people get anxious and start major attacks once they have a confirmed phish on the line. Keep in mind, much like with fishing, you need to get the hook set, so your prey doesn’t just flop off the line. In the case of Phishing, its no different. If you disrupt their internet connection, or make things work poorly, they will likely just look for a different network that doesn’t have problems. so KEEP YOUR LINES CLEAR so you can monitor the flow of data.

Finally, once you’re certain that the phish has taken your bait, SET THE HOOK and REEL them in. With hacking, and network security, the biggest phish are worth waiting for, you can be sure you’re not wasting your effort to catch a ‘minnow’ and actually catch the Great White.

Thank you for reading my ranting about you bastards polluting my networks with your noise. I hope this helps you to think before acting, and as always, ALL actions have consiquences, make sure you can HANDLE the phish you’re trying to catch, and that it wont EAT you when you pull it out of the water.

-That is all


Comments are closed.